Mercurial > p > roundup > code


  
4308


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


     1 I'm proud to release version 1.4.11 of Roundup which fixes a number bugs


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


     2 and closes a potential security hole.


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


     3 


4309


4ce71b5480a8
release stuff

Richard Jones <richard@users.sourceforge.net>
parents: 
4308
diff
changeset


     4 ALL tracker maintainers MUST read the upgrading documentation to make sure


4308


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


     5 the hole is fixed in their tracker.


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


     6 


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


     7 Other changes in this release:


4117


4d1fa6e1fe8c
release stuff

Richard Jones <richard@users.sourceforge.net>
parents: 
4110
diff
changeset


     8 


4308


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


     9 - Generic class editor may now restore retired items (thanks Ralf Hemmecke)


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    10 - Fix security hole allowing user permission escalation (thanks Ralf


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    11   Schlatterbeck)


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    12 - More SSL fixes. SSL wants the underlying socket non-blocking. So we


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    13   don't call socket.setdefaulttimeout in case of SSL. This apparently


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    14   never raises a WantReadError from SSL.


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    15   This also fixes a case where a WantReadError is raised and apparently


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    16   the bytes already read are dropped (seems the WantReadError is really


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    17   an error, not just an indication to retry).


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    18 - Correct initial- and end-handshakes for SSL


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    19 - Update FAQ to mention infinite redirects with pathological settings of


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    20   the tracker->web variable. Closes issue2537286, thanks to "stuidge"


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    21   for reporting.


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    22 - Fix some format errors in italian translation file


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    23 - Some bugs issue classifiers were causing database lookup errors


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    24 - Fix security-problem: If user hasn't permission on a message (notably


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    25   files and content properties) and is on the nosy list, the content was


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    26   sent via email. We now check that user has permission on the message


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    27   content and files properties. Thanks to Intevation for funding this


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    28   fix.


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    29 - Fix traceback on .../msgN/ url, this requests the file content and for


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    30   apache mod_wsgi produced a traceback because the mime type is None for


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    31   messages, fixes issue2550586, thanks to Thomas Arendsen Hein for


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    32   reporting and to Intevation for funding the fix.


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    33 - Handle OPTIONS http request method in wsgi handler, fixes issue2550587.


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    34   Thanks to Thomas Arendsen Hein for reporting and to Intevation for


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    35   funding the fix.


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    36 - Add documentation for migrating to the Register permission and


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    37   fix mailgw to use Register permission, fixes issue2550599


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    38 - Fix styling of calendar to make it more usable, fixes issue2550608


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    39 - Fix typo in email section of user guide, fixes issue2550607


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    40 - Fix WSGI response code (thanks Peter Pöml)


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    41 - Fix linking of an existing item to a newly created item, e.g.


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    42   edit action in web template is name="issue-1@link@msg" value="msg1"


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    43   would trigger a traceback about an unbound variable.


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    44   Add new regression test for this case. May be related to (now closed)


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    45   issue1177477. Thanks to Intevation for funding the fix.


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    46 - Clean up all the places where role processing occurs. This is now in a


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    47   central place in hyperdb.Class and is used consistently throughout.


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    48   This also means now a template can override the way role processing


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    49   occurs (e.g. for elaborate permission schemes). Thanks to intevation


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    50   for funding the change.


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    51 - Fix issue2550606 (german translation bug) "an hour" is only used in


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    52   the context "in an hour" or "an hour ago" which translates to german


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    53   "in einer Stunde" or "vor einer Stunde".  So "an hour" is translated


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    54   "einer Stunde" (which sounds wrong at first).  Also note that date.py


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    55   already has a comment saying "XXX this is internationally broken" --


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    56   but at least there's a workaround for german :-) Thanks to Chris


b30bdfae4461
Fix security hole allowing user permission escalation

Richard Jones <richard@users.sourceforge.net>
parents: 
4270
diff
changeset


    57   (radioking) for reporting.


3722


41feeed84caa
*** empty log message ***

Richard Jones <richard@users.sourceforge.net>
parents: 
3721
diff
changeset


    58 


2253


91118ac2fa7f
pre-release stuff

Richard Jones <richard@users.sourceforge.net>
parents: 
2219
diff
changeset


    59 If you're upgrading from an older version of Roundup you *must* follow


91118ac2fa7f
pre-release stuff

Richard Jones <richard@users.sourceforge.net>
parents: 
2219
diff
changeset


    60 the "Software Upgrade" guidelines given in the maintenance documentation.


91118ac2fa7f
pre-release stuff

Richard Jones <richard@users.sourceforge.net>
parents: 
2219
diff
changeset


    61 


4226


d0a3ac73b4c1
clarify python version

Richard Jones <richard@users.sourceforge.net>
parents: 
4117
diff
changeset


    62 Roundup requires python 2.3 or later (but not 3+) for correct operation.


1291


bf8b2380adb3
added CGI :remove:<propname> and :add:<propname>...

Richard Jones <richard@users.sourceforge.net>
parents: 
1286
diff
changeset


    63 


1780


d2801a2b0a77
Initial implementation (half-baked) at new Tracker instance.

Richard Jones <richard@users.sourceforge.net>
parents: 
1744
diff
changeset


    64 To give Roundup a try, just download (see below), unpack and run::


d2801a2b0a77
Initial implementation (half-baked) at new Tracker instance.

Richard Jones <richard@users.sourceforge.net>
parents: 
1744
diff
changeset


    65 


3647


d4112ddfc0bb
doc fixes

Richard Jones <richard@users.sourceforge.net>
parents: 
3614
diff
changeset


    66     roundup-demo


282


fb1b67a8fd98
Reverted a change in hyperdb...

Richard Jones <richard@users.sourceforge.net>
parents: 
281
diff
changeset


    67 


3537


d819ff1b3116
*** empty log message ***

Richard Jones <richard@users.sourceforge.net>
parents: 
3536
diff
changeset


    68 Release info and download page:


3539


27700fe2d7c6
oops

Richard Jones <richard@users.sourceforge.net>
parents: 
3537
diff
changeset


    69      http://cheeseshop.python.org/pypi/roundup


282


fb1b67a8fd98
Reverted a change in hyperdb...

Richard Jones <richard@users.sourceforge.net>
parents: 
281
diff
changeset


    70 Source and documentation is available at the website:


320


61c42790c3f1
Bugfix in filter "widget" placement, thanks Roch'e

Richard Jones <richard@users.sourceforge.net>
parents: 
316
diff
changeset


    71      http://roundup.sourceforge.net/


286


2313560b8477
Initial cut at trying to handle people responding to CC'ed messages...

Richard Jones <richard@users.sourceforge.net>
parents: 
283
diff
changeset


    72 Mailing lists - the place to ask questions:


320


61c42790c3f1
Bugfix in filter "widget" placement, thanks Roch'e

Richard Jones <richard@users.sourceforge.net>
parents: 
316
diff
changeset


    73      http://sourceforge.net/mail/?group_id=31577


286


2313560b8477
Initial cut at trying to handle people responding to CC'ed messages...

Richard Jones <richard@users.sourceforge.net>
parents: 
283
diff
changeset


    74 


2313560b8477
Initial cut at trying to handle people responding to CC'ed messages...

Richard Jones <richard@users.sourceforge.net>
parents: 
283
diff
changeset


    75 


282


fb1b67a8fd98
Reverted a change in hyperdb...

Richard Jones <richard@users.sourceforge.net>
parents: 
281
diff
changeset


    76 About Roundup


fb1b67a8fd98
Reverted a change in hyperdb...

Richard Jones <richard@users.sourceforge.net>
parents: 
281
diff
changeset


    77 =============


241


54da66e7e583
Added the release announcement text to the repo...

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    78 


2030


3f6e27e9b063
tweaks to make un-quoted-printable-aware readers bitch and moan to me less

Richard Jones <richard@users.sourceforge.net>
parents: 
1780
diff
changeset


    79 Roundup is a simple-to-use and -install issue-tracking system with


3f6e27e9b063
tweaks to make un-quoted-printable-aware readers bitch and moan to me less

Richard Jones <richard@users.sourceforge.net>
parents: 
1780
diff
changeset


    80 command-line, web and e-mail interfaces. It is based on the winning design


241


54da66e7e583
Added the release announcement text to the repo...

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    81 from Ka-Ping Yee in the Software Carpentry "Track" design competition.


54da66e7e583
Added the release announcement text to the repo...

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    82 


2030


3f6e27e9b063
tweaks to make un-quoted-printable-aware readers bitch and moan to me less

Richard Jones <richard@users.sourceforge.net>
parents: 
1780
diff
changeset


    83 Note: Ping is not responsible for this project. The contact for this


3f6e27e9b063
tweaks to make un-quoted-printable-aware readers bitch and moan to me less

Richard Jones <richard@users.sourceforge.net>
parents: 
1780
diff
changeset


    84 project is richard@users.sourceforge.net.


241


54da66e7e583
Added the release announcement text to the repo...

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    85 


2030


3f6e27e9b063
tweaks to make un-quoted-printable-aware readers bitch and moan to me less

Richard Jones <richard@users.sourceforge.net>
parents: 
1780
diff
changeset


    86 Roundup manages a number of issues (with flexible properties such as


659


e429649ed124
More documentation cleanups.

Richard Jones <richard@users.sourceforge.net>
parents: 
580
diff
changeset


    87 "description", "priority", and so on) and provides the ability to:


e429649ed124
More documentation cleanups.

Richard Jones <richard@users.sourceforge.net>
parents: 
580
diff
changeset


    88 


e429649ed124
More documentation cleanups.

Richard Jones <richard@users.sourceforge.net>
parents: 
580
diff
changeset


    89 (a) submit new issues,


e429649ed124
More documentation cleanups.

Richard Jones <richard@users.sourceforge.net>
parents: 
580
diff
changeset


    90 (b) find and edit existing issues, and


e429649ed124
More documentation cleanups.

Richard Jones <richard@users.sourceforge.net>
parents: 
580
diff
changeset


    91 (c) discuss issues with other participants.


e429649ed124
More documentation cleanups.

Richard Jones <richard@users.sourceforge.net>
parents: 
580
diff
changeset


    92 


241


54da66e7e583
Added the release announcement text to the repo...

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    93 The system will facilitate communication among the participants by managing


54da66e7e583
Added the release announcement text to the repo...

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    94 discussions and notifying interested parties when issues are edited. One of


54da66e7e583
Added the release announcement text to the repo...

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    95 the major design goals for Roundup that it be simple to get going. Roundup


4226


d0a3ac73b4c1
clarify python version

Richard Jones <richard@users.sourceforge.net>
parents: 
4117
diff
changeset


    96 is therefore usable "out of the box" with any python 2.3+ (but not 3+)


d0a3ac73b4c1
clarify python version

Richard Jones <richard@users.sourceforge.net>
parents: 
4117
diff
changeset


    97 installation. It doesn't even need to be "installed" to be operational,


d0a3ac73b4c1
clarify python version

Richard Jones <richard@users.sourceforge.net>
parents: 
4117
diff
changeset


    98 though an install script is provided.


241


54da66e7e583
Added the release announcement text to the repo...

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    99 


1102


d94bd5369456
first cut at 0.5 announcement

Richard Jones <richard@users.sourceforge.net>
parents: 
797
diff
changeset


   100 It comes with two issue tracker templates (a classic bug/feature tracker and


3943


d5d815489f63
oops

Richard Jones <richard@users.sourceforge.net>
parents: 
3942
diff
changeset


   101 a minimal skeleton) and four database back-ends (anydbm, sqlite, mysql


d5d815489f63
oops

Richard Jones <richard@users.sourceforge.net>
parents: 
3942
diff
changeset


   102 and postgresql).


1102


d94bd5369456
first cut at 0.5 announcement

Richard Jones <richard@users.sourceforge.net>
parents: 
797
diff
changeset


   103
author	Richard Jones <richard@users.sourceforge.net>
date	Fri, 05 Feb 2010 05:10:52 +0000
parents	4ce71b5480a8
children	e2be38b52d4d
rev	line source
4308 b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	1 I'm proud to release version 1.4.11 of Roundup which fixes a number bugs
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	2 and closes a potential security hole.
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	3
4309 4ce71b5480a8 release stuff Richard Jones <richard@users.sourceforge.net> parents: 4308 diff changeset	4 ALL tracker maintainers MUST read the upgrading documentation to make sure
4308 b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	5 the hole is fixed in their tracker.
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	6
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	7 Other changes in this release:
4117 4d1fa6e1fe8c release stuff Richard Jones <richard@users.sourceforge.net> parents: 4110 diff changeset	8
4308 b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	9 - Generic class editor may now restore retired items (thanks Ralf Hemmecke)
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	10 - Fix security hole allowing user permission escalation (thanks Ralf
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	11 Schlatterbeck)
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	12 - More SSL fixes. SSL wants the underlying socket non-blocking. So we
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	13 don't call socket.setdefaulttimeout in case of SSL. This apparently
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	14 never raises a WantReadError from SSL.
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	15 This also fixes a case where a WantReadError is raised and apparently
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	16 the bytes already read are dropped (seems the WantReadError is really
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	17 an error, not just an indication to retry).
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	18 - Correct initial- and end-handshakes for SSL
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	19 - Update FAQ to mention infinite redirects with pathological settings of
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	20 the tracker->web variable. Closes issue2537286, thanks to "stuidge"
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	21 for reporting.
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	22 - Fix some format errors in italian translation file
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	23 - Some bugs issue classifiers were causing database lookup errors
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	24 - Fix security-problem: If user hasn't permission on a message (notably
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	25 files and content properties) and is on the nosy list, the content was
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	26 sent via email. We now check that user has permission on the message
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	27 content and files properties. Thanks to Intevation for funding this
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	28 fix.
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	29 - Fix traceback on .../msgN/ url, this requests the file content and for
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	30 apache mod_wsgi produced a traceback because the mime type is None for
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	31 messages, fixes issue2550586, thanks to Thomas Arendsen Hein for
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	32 reporting and to Intevation for funding the fix.
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	33 - Handle OPTIONS http request method in wsgi handler, fixes issue2550587.
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	34 Thanks to Thomas Arendsen Hein for reporting and to Intevation for
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	35 funding the fix.
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	36 - Add documentation for migrating to the Register permission and
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	37 fix mailgw to use Register permission, fixes issue2550599
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	38 - Fix styling of calendar to make it more usable, fixes issue2550608
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	39 - Fix typo in email section of user guide, fixes issue2550607
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	40 - Fix WSGI response code (thanks Peter Pöml)
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	41 - Fix linking of an existing item to a newly created item, e.g.
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	42 edit action in web template is name="issue-1@link@msg" value="msg1"
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	43 would trigger a traceback about an unbound variable.
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	44 Add new regression test for this case. May be related to (now closed)
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	45 issue1177477. Thanks to Intevation for funding the fix.
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	46 - Clean up all the places where role processing occurs. This is now in a
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	47 central place in hyperdb.Class and is used consistently throughout.
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	48 This also means now a template can override the way role processing
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	49 occurs (e.g. for elaborate permission schemes). Thanks to intevation
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	50 for funding the change.
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	51 - Fix issue2550606 (german translation bug) "an hour" is only used in
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	52 the context "in an hour" or "an hour ago" which translates to german
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	53 "in einer Stunde" or "vor einer Stunde". So "an hour" is translated
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	54 "einer Stunde" (which sounds wrong at first). Also note that date.py
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	55 already has a comment saying "XXX this is internationally broken" --
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	56 but at least there's a workaround for german :-) Thanks to Chris
b30bdfae4461 Fix security hole allowing user permission escalation Richard Jones <richard@users.sourceforge.net> parents: 4270 diff changeset	57 (radioking) for reporting.
3722 41feeed84caa * empty log message * Richard Jones <richard@users.sourceforge.net> parents: 3721 diff changeset	58
2253 91118ac2fa7f pre-release stuff Richard Jones <richard@users.sourceforge.net> parents: 2219 diff changeset	59 If you're upgrading from an older version of Roundup you must follow
91118ac2fa7f pre-release stuff Richard Jones <richard@users.sourceforge.net> parents: 2219 diff changeset	60 the "Software Upgrade" guidelines given in the maintenance documentation.
91118ac2fa7f pre-release stuff Richard Jones <richard@users.sourceforge.net> parents: 2219 diff changeset	61
4226 d0a3ac73b4c1 clarify python version Richard Jones <richard@users.sourceforge.net> parents: 4117 diff changeset	62 Roundup requires python 2.3 or later (but not 3+) for correct operation.
1291 bf8b2380adb3 added CGI :remove:<propname> and :add:<propname>... Richard Jones <richard@users.sourceforge.net> parents: 1286 diff changeset	63
1780 d2801a2b0a77 Initial implementation (half-baked) at new Tracker instance. Richard Jones <richard@users.sourceforge.net> parents: 1744 diff changeset	64 To give Roundup a try, just download (see below), unpack and run::
d2801a2b0a77 Initial implementation (half-baked) at new Tracker instance. Richard Jones <richard@users.sourceforge.net> parents: 1744 diff changeset	65
3647 d4112ddfc0bb doc fixes Richard Jones <richard@users.sourceforge.net> parents: 3614 diff changeset	66 roundup-demo
282 fb1b67a8fd98 Reverted a change in hyperdb... Richard Jones <richard@users.sourceforge.net> parents: 281 diff changeset	67
3537 d819ff1b3116 * empty log message * Richard Jones <richard@users.sourceforge.net> parents: 3536 diff changeset	68 Release info and download page:
3539 27700fe2d7c6 oops Richard Jones <richard@users.sourceforge.net> parents: 3537 diff changeset	69 http://cheeseshop.python.org/pypi/roundup
282 fb1b67a8fd98 Reverted a change in hyperdb... Richard Jones <richard@users.sourceforge.net> parents: 281 diff changeset	70 Source and documentation is available at the website:
320 61c42790c3f1 Bugfix in filter "widget" placement, thanks Roch'e Richard Jones <richard@users.sourceforge.net> parents: 316 diff changeset	71 http://roundup.sourceforge.net/
286 2313560b8477 Initial cut at trying to handle people responding to CC'ed messages... Richard Jones <richard@users.sourceforge.net> parents: 283 diff changeset	72 Mailing lists - the place to ask questions:
320 61c42790c3f1 Bugfix in filter "widget" placement, thanks Roch'e Richard Jones <richard@users.sourceforge.net> parents: 316 diff changeset	73 http://sourceforge.net/mail/?group_id=31577
286 2313560b8477 Initial cut at trying to handle people responding to CC'ed messages... Richard Jones <richard@users.sourceforge.net> parents: 283 diff changeset	74
2313560b8477 Initial cut at trying to handle people responding to CC'ed messages... Richard Jones <richard@users.sourceforge.net> parents: 283 diff changeset	75
282 fb1b67a8fd98 Reverted a change in hyperdb... Richard Jones <richard@users.sourceforge.net> parents: 281 diff changeset	76 About Roundup
fb1b67a8fd98 Reverted a change in hyperdb... Richard Jones <richard@users.sourceforge.net> parents: 281 diff changeset	77 =============
241 54da66e7e583 Added the release announcement text to the repo... Richard Jones <richard@users.sourceforge.net> parents: diff changeset	78
2030 3f6e27e9b063 tweaks to make un-quoted-printable-aware readers bitch and moan to me less Richard Jones <richard@users.sourceforge.net> parents: 1780 diff changeset	79 Roundup is a simple-to-use and -install issue-tracking system with
3f6e27e9b063 tweaks to make un-quoted-printable-aware readers bitch and moan to me less Richard Jones <richard@users.sourceforge.net> parents: 1780 diff changeset	80 command-line, web and e-mail interfaces. It is based on the winning design
241 54da66e7e583 Added the release announcement text to the repo... Richard Jones <richard@users.sourceforge.net> parents: diff changeset	81 from Ka-Ping Yee in the Software Carpentry "Track" design competition.
54da66e7e583 Added the release announcement text to the repo... Richard Jones <richard@users.sourceforge.net> parents: diff changeset	82
2030 3f6e27e9b063 tweaks to make un-quoted-printable-aware readers bitch and moan to me less Richard Jones <richard@users.sourceforge.net> parents: 1780 diff changeset	83 Note: Ping is not responsible for this project. The contact for this
3f6e27e9b063 tweaks to make un-quoted-printable-aware readers bitch and moan to me less Richard Jones <richard@users.sourceforge.net> parents: 1780 diff changeset	84 project is richard@users.sourceforge.net.
241 54da66e7e583 Added the release announcement text to the repo... Richard Jones <richard@users.sourceforge.net> parents: diff changeset	85
2030 3f6e27e9b063 tweaks to make un-quoted-printable-aware readers bitch and moan to me less Richard Jones <richard@users.sourceforge.net> parents: 1780 diff changeset	86 Roundup manages a number of issues (with flexible properties such as
659 e429649ed124 More documentation cleanups. Richard Jones <richard@users.sourceforge.net> parents: 580 diff changeset	87 "description", "priority", and so on) and provides the ability to:
e429649ed124 More documentation cleanups. Richard Jones <richard@users.sourceforge.net> parents: 580 diff changeset	88
e429649ed124 More documentation cleanups. Richard Jones <richard@users.sourceforge.net> parents: 580 diff changeset	89 (a) submit new issues,
e429649ed124 More documentation cleanups. Richard Jones <richard@users.sourceforge.net> parents: 580 diff changeset	90 (b) find and edit existing issues, and
e429649ed124 More documentation cleanups. Richard Jones <richard@users.sourceforge.net> parents: 580 diff changeset	91 (c) discuss issues with other participants.
e429649ed124 More documentation cleanups. Richard Jones <richard@users.sourceforge.net> parents: 580 diff changeset	92
241 54da66e7e583 Added the release announcement text to the repo... Richard Jones <richard@users.sourceforge.net> parents: diff changeset	93 The system will facilitate communication among the participants by managing
54da66e7e583 Added the release announcement text to the repo... Richard Jones <richard@users.sourceforge.net> parents: diff changeset	94 discussions and notifying interested parties when issues are edited. One of
54da66e7e583 Added the release announcement text to the repo... Richard Jones <richard@users.sourceforge.net> parents: diff changeset	95 the major design goals for Roundup that it be simple to get going. Roundup
4226 d0a3ac73b4c1 clarify python version Richard Jones <richard@users.sourceforge.net> parents: 4117 diff changeset	96 is therefore usable "out of the box" with any python 2.3+ (but not 3+)
d0a3ac73b4c1 clarify python version Richard Jones <richard@users.sourceforge.net> parents: 4117 diff changeset	97 installation. It doesn't even need to be "installed" to be operational,
d0a3ac73b4c1 clarify python version Richard Jones <richard@users.sourceforge.net> parents: 4117 diff changeset	98 though an install script is provided.
241 54da66e7e583 Added the release announcement text to the repo... Richard Jones <richard@users.sourceforge.net> parents: diff changeset	99
1102 d94bd5369456 first cut at 0.5 announcement Richard Jones <richard@users.sourceforge.net> parents: 797 diff changeset	100 It comes with two issue tracker templates (a classic bug/feature tracker and
3943 d5d815489f63 oops Richard Jones <richard@users.sourceforge.net> parents: 3942 diff changeset	101 a minimal skeleton) and four database back-ends (anydbm, sqlite, mysql
d5d815489f63 oops Richard Jones <richard@users.sourceforge.net> parents: 3942 diff changeset	102 and postgresql).
1102 d94bd5369456 first cut at 0.5 announcement Richard Jones <richard@users.sourceforge.net> parents: 797 diff changeset	103